summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>1999-12-26 14:04:33 +1100
committerDamien Miller <djm@mindrot.org>1999-12-26 14:04:33 +1100
commitd49621ea530ce976a17ba043eedba137c60bc10a (patch)
tree70d7e18e93018564fc595d6e4593f12ffaa2ebe1
parent780b376a372f4eefb4c7cda8a8dd2e15cc390c19 (diff)
- Disable logging of PAM success and failures, PAM is verbose enough.
Unfortunatly there is currently no way to disable auth failure messages. Mention this in UPGRADING file and sent message to PAM developers
-rw-r--r--ChangeLog4
-rw-r--r--UPGRADING8
-rw-r--r--sshd.c19
3 files changed, 21 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index 4a1810a9..e6b1695b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@
- Cleanup sshd.c PAM a little more
- Revised RPM package to include Jim Knoble's <jmknoble@pobox.com>
X11 ssh-askpass program.
+ - Disable logging of PAM success and failures, PAM is verbose enough.
+ Unfortunatly there is currently no way to disable auth failure
+ messages. Mention this in UPGRADING file and sent message to PAM
+ developers
19991225
- More fixes from Andre Lucas <andre.lucas@dial.pipex.com>
diff --git a/UPGRADING b/UPGRADING
index f9732cf5..854bd229 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -45,3 +45,11 @@ rid yourself of these message, edit you known_hosts files and replace
the incorrect key length (usually "1024") with the correct key length
(usually "1023").
+5. Spurious PAM authentication messages in logfiles
+
+OpenSSH will generate spurious authentication failures at every login,
+similar to "authentication failure; (uid=0) -> root for sshd service".
+These are generated because OpenSSH first tries to determine whether a
+user needs authentication to login (e.g. empty password). Unfortunatly
+PAM likes to log all authentication events, this one included.
+
diff --git a/sshd.c b/sshd.c
index 66df93d7..e3596de5 100644
--- a/sshd.c
+++ b/sshd.c
@@ -11,7 +11,7 @@
*/
#include "includes.h"
-RCSID("$Id: sshd.c,v 1.42 1999/12/26 02:31:06 damien Exp $");
+RCSID("$Id: sshd.c,v 1.43 1999/12/26 03:04:33 damien Exp $");
#ifdef HAVE_POLL_H
# include <poll.h>
@@ -146,7 +146,7 @@ void do_child(const char *command, struct passwd * pw, const char *term,
#ifdef HAVE_LIBPAM
static int pamconv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
-int do_pam_auth(const char *user, const char *password, int quiet);
+int do_pam_auth(const char *user, const char *password);
void do_pam_account(char *username, char *remote_user);
void do_pam_session(char *username, char *ttyname);
void pam_cleanup_proc(void *context);
@@ -238,20 +238,19 @@ void pam_cleanup_proc(void *context)
}
}
-int do_pam_auth(const char *user, const char *password, int quiet)
+int do_pam_auth(const char *user, const char *password)
{
int pam_retval;
pampasswd = password;
- pam_retval = pam_authenticate((pam_handle_t *)pamh, quiet?PAM_SILENT:0);
+ pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
if (pam_retval == PAM_SUCCESS) {
- log("PAM Password authentication accepted for user \"%.100s\"", user);
+ debug("PAM Password authentication accepted for user \"%.100s\"", user);
return 1;
} else {
- if (!quiet)
- log("PAM Password authentication for \"%.100s\" failed: %s",
- user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ debug("PAM Password authentication for \"%.100s\" failed: %s",
+ user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
return 0;
}
}
@@ -1312,7 +1311,7 @@ do_authentication(char *user)
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif /* KRB4 */
#ifdef HAVE_LIBPAM
- do_pam_auth(pw->pw_name, "", 1)) {
+ do_pam_auth(pw->pw_name, "")) {
#else /* HAVE_LIBPAM */
auth_password(pw, "")) {
#endif /* HAVE_LIBPAM */
@@ -1523,7 +1522,7 @@ do_authloop(struct passwd * pw)
#ifdef HAVE_LIBPAM
/* Do PAM auth with password */
- authenticated = do_pam_auth(pw->pw_name, password, 0);
+ authenticated = do_pam_auth(pw->pw_name, password);
#else /* HAVE_LIBPAM */
/* Try authentication with the password. */
authenticated = auth_password(pw, password);